Apache BookKeeper security advisories

Security information for Apache BookKeeper

Reporting

Do you want disclose a potential security issue for Apache BookKeeper? Send your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Java Client Uses Connection to Host that Failed Hostname Verification

CVE-2022-32531 [CVE] [CVE json] [OSV json]

Last updated: 2023-07-12T14:53:21.686Z

Affected

  • Apache BookKeeper through 4.14.5
  • Apache BookKeeper at 4.15.0

Description

The Apache Bookkeeper Java Client (before 4.14.6 and also 4.15.0) does not close the connection to the bookkeeper server when TLS hostname verification fails. This leaves
the bookkeeper client vulnerable to a man in the middle attack.

The problem affects BookKeeper client prior to versions 4.14.6 and 4.15.1.

References